Try this first
- 1Entra > Devices > All devices. Sort by 'Activity' or 'Last sign-in'. Anything inactive for more than 90 days is a candidate.
- 2For each suspect device: check the 'Owner' column. Still the same user? Still working here? Did they not get a new laptop ages ago?
- 3Select and disable (do not delete immediately, wait 30 days, leaves room for 'oh wait, that laptop is in the attic').
- 4Same for MFA methods: per user (Entra > Users > Authentication methods) you see all phones and authenticator apps. Remove old numbers.
- 5Schedule this every three months. Not yearly, the pile gets too big.
When to bring us in
No idea which devices are 'real'? We can look at sign-in logs alongside the owner column and figure out what is safe to remove.
See also
- I think I clicked a phishing linkNo shame, happens to everyone. The next fifteen minutes matter.
- A colleague's account is acting strangelySending mail in their name, rules hiding folders, unusual sign-ins. Suspicious.
- Lost the MFA app: new phone, no backup codesClassic problem after a phone upgrade. You are not the first to be locked out.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.